Brief purpose of API: Lets content access files on device storage by name and type; files can be enumerated.
- Use excessive resources (fill up file space), read files, change or delete files.
- Files could potentially contain confidential information.
- Create files containing incriminating or illegal material, then call the cops.
- Create files that other apps look for, in order to control their behavior.
Threat severity: high to critical - privacy concerns, loss of user data, access to confidential data.
- Security discussion: https://groups.google.com/group/mozilla.dev.webapps/browse_thread/thread/9b5e3f55ea2c42f8
| Type                | Use Cases                                                                                                  | Authorization Model                          | Notes & Other Controls |
| Web Content         | None                                                                                                       | No direct access (access via web activities) |                        |
| Installed Web Apps  | None                                                                                                       | No direct access (access via web activities) |                        |
| Privileged Web Apps | Photo gallery, camera app that displays photos, any app that saves data will likely want to read it back. | Explicit                                     |                        |
| Certified Web Apps  | Notify an app if the user is idle.                                                                         | Implicit                                     |                        |
Ideally permission should be given on a per-type basis, i.e. the "intended usage" is enforced at runtime, so that granting access to music does not automatically grant access to photos. If the storage type is always passed as a string literal, a code reviewer can see which types an app actually uses, which mitigates the issue. Otherwise sub-permissions for types (device-storage.music) or separate permissions for each type (device-storage-music) would be needed. Per-type permissions also let the permission prompt state explicitly what is being granted.
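The per-type model described above, as an added example that is not Mozilla's code or part of this review: a permission check that accepts either permission spelling the text proposes (device-storage.music or device-storage-music) but refuses to let one type's grant cover another, a guarded wrapper around the storage lookup, a prompt message that names the exact type, and a review-time helper that flags getDeviceStorage calls whose type argument is not a string literal. The permission list layout, the STORAGE_TYPES set, and all function names are assumptions; the sample source text is constructed.

```javascript
// Added example (not Mozilla's code): enforcing Device Storage permissions per
// storage type. STORAGE_TYPES, the granted-permission list shape and the
// function names below are assumptions made for this illustration.

const STORAGE_TYPES = new Set(["pictures", "videos", "music", "sdcard"]);

// Map a storage type to the two permission spellings discussed in the review:
// a sub-permission ("device-storage.music") or a separate permission
// ("device-storage-music").
function permissionNamesFor(type) {
  if (!STORAGE_TYPES.has(type)) {
    throw new TypeError(`unknown device storage type: ${type}`);
  }
  return [`device-storage.${type}`, `device-storage-${type}`];
}

// Decide whether an app's granted permissions cover access to `type`.
// A bare "device-storage" grant is deliberately NOT accepted: the point of
// per-type permissions is that music access does not imply photo access.
function hasDeviceStorageAccess(granted, type) {
  return permissionNamesFor(type).some((name) => granted.includes(name));
}

// Guarded wrapper around the storage lookup. `getStorage` stands in for the
// platform call (navigator.getDeviceStorage) so the example runs offline.
function openDeviceStorage(granted, type, getStorage) {
  if (!hasDeviceStorageAccess(granted, type)) {
    const needed = permissionNamesFor(type).join(" or ");
    throw new Error(`permission denied for ${type} (needs ${needed})`);
  }
  return getStorage(type);
}

// Prompt text that says exactly which storage type is being granted, instead
// of a generic "access your files" message.
function promptMessage(appName, type) {
  permissionNamesFor(type); // validates the type
  return `${appName} wants to read and change files in your ${type} storage.`;
}

// Review-time helper: find getDeviceStorage(...) calls whose argument is not a
// string literal. With a literal the reviewer can see the intended type; with a
// variable the type is decided at runtime and only the check above protects it.
function findDynamicStorageTypeCalls(source) {
  const callRe = /getDeviceStorage\s*\(\s*([^)]*?)\s*\)/g;
  const literalRe = /^(['"])[a-z]+\1$/;
  const findings = [];
  let m;
  while ((m = callRe.exec(source)) !== null) {
    if (!literalRe.test(m[1])) {
      findings.push({ index: m.index, arg: m[1] });
    }
  }
  return findings;
}

// Constructed sample data: an app granted only music access, a fake storage
// factory, and a snippet of app source with one literal and one dynamic call.
const sampleGranted = ["device-storage.music"];
const fakeGetStorage = (type) => ({ storageName: type });
const sampleSource = `
  var music = navigator.getDeviceStorage("music");
  var which = location.hash.slice(1);
  var other = navigator.getDeviceStorage(which);
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log(openDeviceStorage(sampleGranted, "music", fakeGetStorage));
  try {
    openDeviceStorage(sampleGranted, "pictures", fakeGetStorage);
  } catch (e) {
    console.log(e.message);
  }
  console.log(promptMessage("Gallery", "pictures"));
  console.log(findDynamicStorageTypeCalls(sampleSource));
}
```

Run with `node` to see the music lookup succeed, the pictures lookup fail, the type-specific prompt text, and the one dynamic call site flagged in the sample source. The check function accepts both naming schemes only so the example covers both options from the text; a real implementation would pick one.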